COMMAND
quake2
SYSTEMS AFFECTED
quake2 servers and L-Fire
PROBLEM
Roderick 'GoG' van Domburg posted the following information, which
he collected not only from his own experiences, but with a lot of
help from the q2-serverlist and Kai Kenner "L-Fire" as well. With
all four of them a buffer overflow seems to be the issue.
The first bug seems to have been discovered just recently and
unfortunately it's already public. It's being circulated on IRC
channels and is being used to crash Quake2 servers. Because it's
a buffer overflow bug, some people have also been trying to
exploit it to violate system security. A client can crash the
server by doing a say_team chat with many say_team macro
expansions (using %L for example). If someone does a say_team
with 50 %L (say_team "%L%L%L%L%L%L%L%L%L%L%L%L%L%L%..."), the
server will crash. This bug is in the function CTFSay_Team (file
g_ctf.c). The function builds a string by expanding the % macros,
then it iterates through the clients and sends the string to each
client. If the string is too big the server crashes. In the
function Cmd_Say_f (file g_cmds.c), there is the following
statement and comment:
    // don't let text be too long for malicious reasons
    if (strlen(text) > 150)
        text[150] = 0;
Cmd_Say_f limits the chat text to 150 characters to avoid various
problems. CTFSay_Team does not restrict the chat text and this
ultimately causes problems. You could of course also implement a
sanity check that detects any superfluous chat macros, but that
would involve a great deal of CPU usage that may not be worth it.
The second bug is more of a nuisance, but it won't cause the
server to crash. A player can join a team and appear with the
default male/grunt skin by setting his skin to anything with two
forward slashes. For example, skin "a/b/c" or even skin "//".
Both of these bugs exist in the id CTF 1.02 source code and
possibly earlier versions. Another issue seems only to bother
the Linux version (again, 100% not sure though). If you have two
directories both containing the Lithium II 1.23 mod (haven't tried
previous versions), one being lithium and the other a random other
name, say, lithium_2 with gamedir set to lithium (because you want
to prevent clients from crashing when taking screenshots) and
enable administrator functions in the second directory, any user
can gain administrative access simply by entering 'admin' in the
Quake2 console. If this happens, the user is granted an extremely
strange and high adminlevel, often of 7 random digits. Disabling
any of the admin functions (including both admincode and
adminpassword), restricting them to IPs or limiting them to a low
adminlevel does not have any effect, and setting the Quake2 server
cvar adminlist to blank does not work either.
SOLUTION
The first two bugs reside in id's CTF 1.02 source code, on which
basically any CTF mod is based. From what we know, L-Fire CTF
1.04 and the upcoming 3Team CTF 1.20 (will) have this fixed,
possibly others as well. As for the first bug, immediately before
the for() loop at the end of CTFSay_Team, add the following lines:
    *p = 0;
    if (strlen(outmsg) > 150)   // new line added
        outmsg[150] = 0;        // new line added
    for (i = 0; i < maxclients->value; i++) {
        ...
    }
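The macro expansion and the 150-character cap described in the PROBLEM and SOLUTION text, as an added example that is not the advisory's code and not id's CTFSay_Team: a simplified stand-in that expands %L and %H into a fixed buffer, bounds every write by the buffer size, and then applies the same strlen() > 150 cut that the fix above adds. Bounding each write during expansion goes beyond the advisory's post-expansion truncation; the location and health strings, the 256-byte buffer, and the function names are assumptions made for this example.

```c
#include <assert.h>
#include <stdio.h>
#include <string.h>

/* Constructed stand-ins for the game state a real CTFSay_Team would read. */
#define SAMPLE_LOCATION "the red base, near the flag"   /* expansion of %L (constructed) */
#define SAMPLE_HEALTH   "100"                           /* expansion of %H (constructed) */
#define CHAT_LIMIT      150                             /* same cap Cmd_Say_f uses */

/* Append src to out at *pos, never writing past outsz-1. Returns 0 if src
 * had to be truncated (the output buffer is full). */
static int append_bounded(char *out, size_t outsz, size_t *pos, const char *src)
{
    size_t n = strlen(src);
    size_t room = outsz - 1 - *pos;
    int fit = n <= room;
    if (!fit)
        n = room;
    memcpy(out + *pos, src, n);
    *pos += n;
    out[*pos] = '\0';
    return fit;
}

/* Expand %L and %H macros from text into out (size outsz). Every write is
 * bounded by outsz, and the result is then cut to CHAT_LIMIT exactly as the
 * advisory's fix does after expansion. Returns the final length of out. */
size_t expand_team_chat(const char *text, char *out, size_t outsz)
{
    size_t pos = 0;
    out[0] = '\0';
    for (const char *c = text; *c; c++) {
        const char *piece;
        char one[2] = { *c, '\0' };
        if (*c == '%' && c[1]) {
            switch (c[1]) {
            case 'l': case 'L': piece = SAMPLE_LOCATION; c++; break;
            case 'h': case 'H': piece = SAMPLE_HEALTH;   c++; break;
            default:            piece = one;             break;   /* unknown macro: keep the '%' */
            }
        } else {
            piece = one;
        }
        if (!append_bounded(out, outsz, &pos, piece))
            break;                      /* output buffer full: stop expanding */
    }
    if (pos > CHAT_LIMIT) {             /* the advisory's fix: cap the chat text */
        out[CHAT_LIMIT] = '\0';
        pos = CHAT_LIMIT;
    }
    return pos;
}

/* Build the 50 x "%L" message quoted in the advisory (constructed input) and
 * check that the fixed buffer is never overrun: a canary placed directly
 * after the buffer must survive. Returns 1 on success. */
int demo_fifty_L(void)
{
    struct { char buf[256]; char canary[8]; } s;
    char text[101];
    memset(text, 0, sizeof text);
    for (int i = 0; i < 50; i++) {
        text[2 * i] = '%';
        text[2 * i + 1] = 'L';
    }
    strcpy(s.canary, "CANARY");
    size_t len = expand_team_chat(text, s.buf, sizeof s.buf);
    return len == CHAT_LIMIT && strcmp(s.canary, "CANARY") == 0;
}
```

With the sample location string, 50 %L expansions would need over a thousand bytes; the bounded append stops at the end of the 256-byte buffer and the cap then trims the message to 150 characters, which is what the clients end up receiving.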
As for the second, this bug is in the function CTFAssignSkin (file
g_ctf.c). The line:
if ((p = strrchr(t, '/')) != NULL)
should be:
if ((p = strchr(t, '/')) != NULL)
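The strrchr()/strchr() difference in CTFAssignSkin, as an added example that is not the advisory's code and not id's function: a stand-in that rebuilds a player's skin value as "model/teamskin", selecting the slash with strrchr() (the buggy behaviour) or strchr() (the fix). The "model/skin" layout of the value, the "male/" fallback when no slash is present, the team skin name ctf_r and the function names are assumptions made for this example.

```c
#include <assert.h>
#include <stdio.h>
#include <string.h>

/* Rebuild a player's skin value as "model/teamskin". With use_first_slash
 * set to 0 the slash is located with strrchr (last slash), the behaviour the
 * advisory describes as buggy; with 1 it is located with strchr (first
 * slash), the advisory's fix. Returns out. */
char *assign_team_skin(const char *skin, const char *team_skin,
                       int use_first_slash, char *out, size_t outsz)
{
    char t[64];
    char *p;

    snprintf(t, sizeof t, "%s", skin);
    p = use_first_slash ? strchr(t, '/') : strrchr(t, '/');
    if (p != NULL)
        p[1] = '\0';                        /* keep "model/", drop the client's own skin */
    else
        snprintf(t, sizeof t, "male/");     /* no slash at all: default model (assumed) */
    snprintf(out, outsz, "%s%s", t, team_skin);
    return out;
}

/* Does the model part (everything before the final slash) itself contain a
 * slash? A model path with an embedded slash cannot name a model directory,
 * which is the mechanism behind the default male/grunt appearance the
 * advisory describes. Returns 1 if so, 0 otherwise. */
int model_part_has_slash(const char *skin_string)
{
    const char *last = strrchr(skin_string, '/');
    if (last == NULL)
        return 0;
    return memchr(skin_string, '/', (size_t)(last - skin_string)) != NULL;
}
```

With strrchr(), the two-slash value "male/grunt/x" becomes "male/grunt/ctf_r", whose model part "male/grunt" is not a model directory; with strchr() the same input becomes "male/ctf_r" and the team skin is applied to the model the client actually chose.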
As for the last one, only removing the admin.lst file in *both*
directories prevents this security error from occurring.